After the exchanges, also known as health insurance marketplaces, debuted Tuesday, users reported difficulty using them, to either price or sign up for insurance. At the federal level, White House officials blamed the glitches -- which persisted throughout last week -- on the large number of visitors to healthcare.gov, which saw 4.7 million unique visitors in its first 24 hours, and 9 million in total by Friday.

Sunday, however, federal officials admitted that healthcare.gov would require both code-level improvements as well as increased server capacity. "We can do better and we are working around the clock to do so," Department of Health and Human Services spokeswoman Joanne Peters toldThe Wall Street Journal. Forthcoming improvements will reportedly include both software and hardware changes.

To that list of fixes, however, the federal government -- which through healthcare.gov is currently supporting or running health insurance exchanges for 36 states -- and 14 states that are running their own exchangesmight want to add a handful of information security improvements.

Here are five top concerns:

1. All-Access Request For Other Sites

According to Nidhi Shah, who works on research and development for HP's Web Security Research Group, healthcare.gov uses an HTML5 header that allows any site to make an AJAX request to healthcare.gov, then see a response. "We could not access [the] authenticated area of healthcare.gov -- the site was overloaded -- but if this is the policy applied to any authenticated page of the site, it could expose the site to serious threats like cross-site request forgery (CSRF)," Shah said in a blog post. CSRF attacks, which have a place on the SANS list of the 25 most dangerous software errors (at #12), refer to trickinga targeted website into disclosing sensitive information.

2. Clickjacking Threat

The second major healthcare.gov security concern is the site's lack of clickjacking defenses. Using clickjacking, an attacker could overlay invisible elements on the legitimate website, so that, for example, if a user clicked what appeared to be a real link, it might run a malicious script instead. "To our surprise, healthcare.gov does not deploy any defense and the site can be easily framed inside an HTML iFrame tag," Shah said. In the past, many websites have used JavaScript "framekillers" to mitigate this type of vulnerability. "However, the introduction of the iFrame Sandbox attribute in the HTML5 specification has rendered that approach useless," she said.

3. Cookie Theft

According to Shah, healthcare.gov fails to employ HttpOnly, which restricts access to cookies stored on a PC, in particular defending them against malicious scripts. The site also fails to employ secure flags for cookies, which prevents cookies from being transmitted in plaintext -- which makes them vulnerable to eavesdropping -- by only transmitting cookies after an HTTPS session has first been established.

"Healthcare.gov uses cookies to maintain user history on the site and [for] user identification," said Shah. Although she doesn't know if the cookies will also save a user's credentials, an attacker could at least retrieve "sensitive information such as ... possible health issues, income level, and marital status," she said, that most people would rather remain private.

I don't think the lack of availability will pose a security risk. I think any failures will simply result in the site being unavailable.

Still, the domain of load management and load balancing seems pretty circa-late-1990s. Meaning that with proper prep time, all of this should have been ironed out well in advance. But as you noted in your tech critique of the insurance exchanges, owing perhaps to the timelines involved (short) and logic requirements (complex, given the complex law that the site and its workflows must accommodate), obviously too little time has been spent to ensure the site can meet projected demand.

Data quality also sounds like an ongoing challenge, with insurers reporting last week that they had seen few (if any) actual applications, suggesting that the system isn't yet as automated -- and the source data as clean -- as it will need to be.

On the flip side, in this era of agile development, perhaps there are some upsides to the current scenario? The high-profile launch, while frustrating for users, has lit a fire under development teams, and whoever is holding their purse strings. How many federal and state IT projects in the past have too often exceeded their budgets, been "over-redesigned" throughout implementation and as a result faced interminable delays, if ever reaching fruition? But heathcare.gov is now live. The development team must iterate, refine and improve the system to the point where it should have been, prior to being launched.

Published: 2015-03-03Off-by-one error in the ecryptfs_decode_from_filename function in fs/ecryptfs/crypto.c in the eCryptfs subsystem in the Linux kernel before 3.18.2 allows local users to cause a denial of service (buffer overflow and system crash) or possibly gain privileges via a crafted filename.

Published: 2015-03-03** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue in customer-controlled software. Notes: none.

How can security professionals better engage with their peers, both in person and online? In this Dark Reading Radio show, we will talk to leaders at some of the security industry’s professional organizations about how security pros can get more involved – with their colleagues in the same industry, with their peers in other industries, and with the IT security community as a whole.